Over 73,000 Uniswap liquidity providers (LPs), users who provide the tokens used for trading on the Uniswap protocol, just learned a harsh lesson about a classic scam. Crypto is notorious for being a hunting ground for scammers and hackers, and one of the most effective strategies is phishing attacks. Because cryptocurrencies and NFTs are protected by the impenetrable security of blockchain technology, the easiest way to steal blockchain assets is through trickery.
In Web 2.0, a phishing attack is a type of hack that usually involves a fake email with an attachment containing a virus that attacks the recipient's device or, worse, quietly sits in the background and gathers their personal data. In Web 3.0, a phishing attack is often a fake front-end website cloned from a real crypto project designed to trick the user into signing a malicious smart contract that transfers their crypto holdings to the attacker's wallet, and can come in the form of an email (if known) or through a malicious token. Victims are lured in by the promise of an "airdrop" – free distribution of tokens commonly issued as a reward for early users, and the malicious code is executed when they claim the airdrop. Unlike a pump-and-dump crypto scam, a phishing attack uses a smart contract to directly steal a victim's holdings from their wallet.
According to CoinDesk, the Uniswap attacker transferred fake Uniswap LP tokens into users' wallets to trick them into believing they received an airdrop from Uniswap, and upon investigation were led to a fake website that was a Uniswap clone. The website prompted them to connect their wallet and sign a transaction to trade their LP tokens for UNI tokens, thus completing the airdrop. Instead, it executed malicious code and stole all of their real Uniswap LP tokens. One user, who was providing WBTC and USDC, lost more than $8 million to the attack.
Don't Touch Randomly Airdropped Tokens
Conducting a cryptocurrency scam is not hard. It is relatively easy to design and deploy a malicious smart contract, clone an open-source front-end, and then send the infected tokens to all potential victims. These victims will investigate where the tokens came from, as the tokens do show up on Etherscan and have a dollar value, and in following the tokens' website URL will be presented with a page requiring them to connect their wallet and sign a transaction to claim their airdrop. It is necessary to do cursory research prior to signing any transactions promising free crypto, especially for large projects like Uniswap, and treat all free crypto as a potential scam.
If a respected protocol like Uniswap is going to conduct an airdrop, it will make an announcement on its blog and official social media channels. Legitimate crypto projects also very rarely conduct airdrops by "pushing" the tokens to their recipients, as it is expensive and unsafe to do. Instead, it is standard to use a "pull" method of delivery, where recipients go to the official website and collect the tokens from an airdrop page. The pull method is cheaper on the sender and much safer for the recipient, as they know where the tokens came from. Finally, legitimate projects will verify and upload their smart contract code on block explorers like Etherscan, which is the only way to know what's in a transaction without signing it.
The first thing a user should do if they receive tokens from a Web3, metaverse, or blockchain project is to check the project's official blog and social media channels for a post about an airdrop, and if none is announced then the tokens received should be treated as suspicious. It is important to remember that malicious tokens can only attack if they are interacted with. While there isn't much that can be done for the victims of the Uniswap phishing attack, everyone else should be immediately suspicious of tokens received via a pushed airdrop, as this is not an industry-standard way of conducting airdrops and is often used for phishing attacks.
Source: CoinDesk